Changeset 11858

Timestamp:

02/15/2018 03:52:40 PM (7 years ago)

Author:

espellcaste

Message:

Make use of bp_is_post_request() instead of hardcoding POST verifications directly.

BuddyPress is not making use of the bp_is_post_request() in several ajax scenarios to confirm if the post request is indeed a POST request. Instead, it is hardcoding the check directly. This change updates those places making use of this function.

Props DjPaul

Fixes #7684

Location:

trunk/src

Files:

• bp-core/bp-core-attachments.php (modified) (2 diffs)
• bp-core/bp-core-avatars.php (modified) (3 diffs)
• bp-settings/bp-settings-actions.php (modified) (4 diffs)
• bp-templates/bp-legacy/buddypress-functions.php (modified) (18 diffs)
• bp-templates/bp-nouveau/includes/activity/ajax.php (modified) (7 diffs)
• bp-templates/bp-nouveau/includes/ajax.php (modified) (1 diff)
• bp-templates/bp-nouveau/includes/friends/ajax.php (modified) (1 diff)
• bp-templates/bp-nouveau/includes/groups/ajax.php (modified) (1 diff)
• bp-xprofile/bp-xprofile-actions.php (modified) (1 diff)

trunk/src/bp-core/bp-core-attachments.php

@@ -1190 +1190 @@
  */
 function bp_attachments_cover_image_ajax_upload() {
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_die();
     }
@@ -1379 +1379 @@
  */
 function bp_attachments_cover_image_ajax_delete() {
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error();
     }

trunk/src/bp-core/bp-core-avatars.php

@@ -810 +810 @@
  */
 function bp_avatar_ajax_delete() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error();
     }
@@ -953 +952 @@
  */
 function bp_avatar_ajax_upload() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_die();
     }
@@ -1238 +1236 @@
  */
 function bp_avatar_ajax_set() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error();
     }

trunk/src/bp-settings/bp-settings-actions.php

@@ -28 +28 @@
  */
 function bp_settings_action_general() {
-
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Bail if no submit action.
-    if ( ! isset( $_POST['submit'] ) )
-        return;
+    if ( ! isset( $_POST['submit'] ) ) {
+        return;
+    }
 
     // Bail if not in settings.
-    if ( ! bp_is_settings_component() || ! bp_is_current_action( 'general' ) )
-        return;
+    if ( ! bp_is_settings_component() || ! bp_is_current_action( 'general' ) ) {
+        return;
+    }
 
     // 404 if there are any additional action variables attached
@@ -260 +261 @@
  */
 function bp_settings_action_notifications() {
-
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Bail if no submit action.
-    if ( ! isset( $_POST['submit'] ) )
-        return;
+    if ( ! isset( $_POST['submit'] ) ) {
+        return;
+    }
 
     // Bail if not in settings.
-    if ( ! bp_is_settings_component() || ! bp_is_current_action( 'notifications' ) )
+    if ( ! bp_is_settings_component() || ! bp_is_current_action( 'notifications' ) ) {
         return false;
+    }
 
     // 404 if there are any additional action variables attached
@@ -307 +309 @@
  */
 function bp_settings_action_capabilities() {
-
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Bail if no submit action.
-    if ( ! isset( $_POST['capabilities-submit'] ) )
-        return;
+    if ( ! isset( $_POST['capabilities-submit'] ) ) {
+        return;
+    }
 
     // Bail if not in settings.
-    if ( ! bp_is_settings_component() || ! bp_is_current_action( 'capabilities' ) )
+    if ( ! bp_is_settings_component() || ! bp_is_current_action( 'capabilities' ) ) {
         return false;
+    }
 
     // 404 if there are any additional action variables attached
@@ -381 +384 @@
  */
 function bp_settings_action_delete_account() {
-
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Bail if no submit action.
-    if ( ! isset( $_POST['delete-account-understand'] ) )
-        return;
+    if ( ! isset( $_POST['delete-account-understand'] ) ) {
+        return;
+    }
 
     // Bail if not in settings.
-    if ( ! bp_is_settings_component() || ! bp_is_current_action( 'delete-account' ) )
+    if ( ! bp_is_settings_component() || ! bp_is_current_action( 'delete-account' ) ) {
         return false;
+    }
 
     // 404 if there are any additional action variables attached

trunk/src/bp-templates/bp-legacy/buddypress-functions.php

@@ -780 +780 @@
  */
 function bp_legacy_theme_object_template_loader() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Bail if no object passed.
-    if ( empty( $_POST['object'] ) )
-        return;
+    if ( empty( $_POST['object'] ) ) {
+        return;
+    }
 
     // Sanitize the object.
@@ -792 +793 @@
 
     // Bail if object is not an active component to prevent arbitrary file inclusion.
-    if ( ! bp_is_active( $object ) )
-        return;
+    if ( ! bp_is_active( $object ) ) {
+        return;
+    }
 
     /**
@@ -860 +862 @@
  */
 function bp_legacy_theme_activity_template_loader() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     $scope = '';
@@ -921 +923 @@
     $bp = buddypress();
 
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Check the nonce.
@@ -1010 +1012 @@
     $bp = buddypress();
 
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         return;
     }
@@ -1079 +1080 @@
  */
 function bp_legacy_theme_delete_activity() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Check the nonce.
@@ -1117 +1118 @@
  */
 function bp_legacy_theme_delete_activity_comment() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Check the nonce.
@@ -1159 +1160 @@
     $bp = buddypress();
 
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Check that user is logged in, Activity Streams are enabled, and Akismet is present.
@@ -1204 +1205 @@
 function bp_legacy_theme_mark_activity_favorite() {
     // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     if ( ! isset( $_POST['nonce'] ) ) {
@@ -1233 +1235 @@
  */
 function bp_legacy_theme_unmark_activity_favorite() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     if ( ! isset( $_POST['nonce'] ) ) {
@@ -1264 +1266 @@
  */
 function bp_legacy_theme_get_single_activity_content() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     $activity_array = bp_activity_get_specific( array(
@@ -1304 +1306 @@
  */
 function bp_legacy_theme_ajax_invite_user() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     check_ajax_referer( 'groups_invite_uninvite_user' );
@@ -1387 +1389 @@
  */
 function bp_legacy_theme_ajax_addremove_friend() {
-
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Cast fid as an integer.
@@ -1441 +1442 @@
  */
 function bp_legacy_theme_ajax_accept_friendship() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     check_admin_referer( 'friends_accept_friendship' );
@@ -1461 +1462 @@
  */
 function bp_legacy_theme_ajax_reject_friendship() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     check_admin_referer( 'friends_reject_friendship' );
@@ -1481 +1482 @@
  */
 function bp_legacy_theme_ajax_joinleave_group() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     // Cast gid as integer.
@@ -1552 +1553 @@
  */
 function bp_legacy_theme_ajax_close_notice() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     $nonce_check = isset( $_POST['nonce'] ) && wp_verify_nonce( wp_unslash( $_POST['nonce'] ), 'bp_messages_close_notice' );
@@ -1584 +1585 @@
  */
 function bp_legacy_theme_ajax_messages_send_reply() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
-        return;
+    if ( ! bp_is_post_request() ) {
+        return;
+    }
 
     check_ajax_referer( 'messages_send_message' );

trunk/src/bp-templates/bp-nouveau/includes/activity/ajax.php

@@ -86 +86 @@
  */
 function bp_nouveau_ajax_mark_activity_favorite() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error();
     }
@@ -127 +126 @@
  */
 function bp_nouveau_ajax_unmark_activity_favorite() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error();
     }
@@ -164 +162 @@
  */
 function bp_nouveau_ajax_clear_new_mentions() {
-    // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error();
     }
@@ -194 +191 @@
 
     // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error( $response );
     }
@@ -266 +263 @@
 
     // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error( $response );
     }
@@ -327 +324 @@
 
     // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error( $response );
     }
@@ -564 +561 @@
 
     // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error( $response );
     }

trunk/src/bp-templates/bp-nouveau/includes/ajax.php

@@ -16 +16 @@
  */
 function bp_nouveau_ajax_object_template_loader() {
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error();
     }

trunk/src/bp-templates/bp-nouveau/includes/friends/ajax.php

@@ -63 +63 @@
 
     // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         wp_send_json_error( $response );
     }

trunk/src/bp-templates/bp-nouveau/includes/groups/ajax.php

@@ -40 +40 @@
 
     // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) || empty( $_POST['action'] ) ) {
+    if ( ! bp_is_post_request() || empty( $_POST['action'] ) ) {
         wp_send_json_error( $response );
     }

trunk/src/bp-xprofile/bp-xprofile-actions.php

@@ -55 +55 @@
 
     // Bail if not a POST action.
-    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
+    if ( ! bp_is_post_request() ) {
         return;
     }